story-bufdir-data-aggregation-organization-admin-006
Story Points: 5
Priority: Critical
Feature: Bufdir Data Aggregation

User Story

As an Organization Administrator
I want the aggregation to strictly include only my organisation's data and exclude records from other organisations sharing the platform
So that Bufdir receives accurate data for my organisation alone, and no cross-contamination from another organisation's activities inflates or distorts my report

Acceptance Criteria

  • Given a coordinator from organisation A triggers aggregation, when the aggregation query runs, then only activity records with organisation A's tenant identifier are included
  • Given the platform has records from multiple organisations, when aggregation completes, then the summary totals are consistent with the count of records belonging exclusively to the coordinator's organisation
  • Given an attempt is made to access another organisation's records, when the query executes against Supabase, then row-level security policies block the access and no cross-org data is returned
  • Given aggregation runs for a multi-chapter organisation, when chapter data is compiled, then all included chapters belong to the same organisation root
  • Given a data isolation violation is detected during testing, when the violation is logged, then the aggregation is aborted and an error is returned rather than proceeding with contaminated data
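The service-layer half of these criteria, as an added example in TypeScript (not Bufdir project code): the query is scoped to the caller's tenant, every returned row is re-checked against the tenant identifier and the chapter's organisation root, and the run is aborted with an error on the first mismatch rather than producing a contaminated summary. The record fields, the chapter-root table and the sample rows are assumptions constructed for the example.

```typescript
interface ActivityRecord {
  id: string;
  organisationId: string; // tenant identifier on every activity record
  chapterId: string;
  participants: number;
}
// Constructed reference data: the organisation root each chapter belongs to.
const CHAPTER_ROOT: Record<string, string> = {
  "chapter-a1": "org-a", "chapter-a2": "org-a", "chapter-b1": "org-b",
};

// Constructed sample rows from two organisations sharing the platform.
const SAMPLE_ROWS: ActivityRecord[] = [
  { id: "r1", organisationId: "org-a", chapterId: "chapter-a1", participants: 12 },
  { id: "r2", organisationId: "org-a", chapterId: "chapter-a2", participants: 8 },
  { id: "r3", organisationId: "org-b", chapterId: "chapter-b1", participants: 30 },
];

class IsolationViolationError extends Error {
  constructor(message: string) { super(message); this.name = "IsolationViolationError"; }
}

interface Summary { organisationId: string; recordCount: number; totalParticipants: number; chapters: string[] }

// Stand-in for the tenant-scoped query; in Supabase the same predicate is enforced
// by the WHERE clause and, independently, by the row-level security policy.
function queryForTenant(tenantId: string, rows: ActivityRecord[]): ActivityRecord[] {
  return rows.filter((r) => r.organisationId === tenantId);
}

// Second line of defence: re-verify every row and abort on the first mismatch
// rather than emit a summary that contains another organisation's activity.
function aggregateForTenant(tenantId: string, rows: ActivityRecord[]): Summary {
  const chapters = new Set<string>();
  let recordCount = 0, totalParticipants = 0;
  for (const r of rows) {
    if (r.organisationId !== tenantId) {
      throw new IsolationViolationError(`record ${r.id} belongs to ${r.organisationId}, expected ${tenantId}`);
    }
    const root = CHAPTER_ROOT[r.chapterId];
    if (root !== tenantId) {
      throw new IsolationViolationError(`chapter ${r.chapterId} is rooted at ${root}, not ${tenantId}`);
    }
    chapters.add(r.chapterId);
    recordCount += 1;
    totalParticipants += r.participants;
  }
  return { organisationId: tenantId, recordCount, totalParticipants, chapters: Array.from(chapters).sort() };
}
```

In the real service the row re-check is what turns an RLS misconfiguration into an aborted run and a logged error instead of a silently inflated Bufdir report.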

Business Value

Sharing a multi-tenant platform across competing organisations demands strict data isolation. A cross-contamination incident would constitute a GDPR breach exposing beneficiary data, destroy trust between organisations, and potentially invalidate Bufdir submissions for multiple organisations simultaneously. Enforcing isolation at the database and service layer is a non-negotiable regulatory and contractual requirement.